From patchwork Sat Feb 15 19:00:33 2025
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4147
Date: Sat, 15 Feb 2025 20:00:33 +0100
To: openvpn-devel@lists.sourceforge.net
In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
Subject: [Openvpn-devel] [PATCH 1/2] Remove x509-username-fields uppercasing
From: corubba

The uppercasing was first introduced together with the x509-username-field option in commit 935c62be, and first released with v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82 and release v2.4.0 in 2016. I think it is time to finally remove it.

This deprecated feature prevents you from using non-extension all-lowercase fieldnames like `name`, because these are converted to uppercase and then cause an error. The deprecation warning is also shown in cases where there is no actual uppercasing happening, for example with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).
Signed-off-by: Corubba Smith Acked-by: Gert Doering --- Changes.rst | 5 +++++ doc/man-sections/tls-options.rst | 6 ------ src/openvpn/options.c | 27 +-------------------------- 3 files changed, 6 insertions(+), 32 deletions(-) -- 2.48.1 diff --git a/Changes.rst b/Changes.rst index e0118111..bcc64fca 100644 --- a/Changes.rst +++ b/Changes.rst @@ -92,6 +92,11 @@ Compression on send ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. +User-visible Changes +-------------------- +- ``--x509-username-field`` will no longer automatically convert fieldnames to + uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. + Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index cdb85716..7882e924 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -763,12 +763,6 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. Only the :code:`subjectAltName` and :code:`issuerAltName` X.509 extensions and :code:`serialNumber` X.509 attribute are supported. - **Please note:** This option has a feature which will convert an - all-lowercase ``fieldname`` to uppercase characters, e.g., - :code:`ou` -> :code:`OU`. A mixed-case ``fieldname`` or one having the - :code:`ext:` prefix will be left as-is. This automatic upcasing feature is - deprecated and will be removed in a future release. - Non-compliant symbols are being replaced with the :code:`_` symbol, same as the field separator, so concatenating multiple fields with such or :code:`_` symbols can potentially lead to username collisions. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3ae44dbe..6b2dfa58 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -9395,37 +9395,12 @@ add_option(struct options *options, #ifdef ENABLE_X509ALTUSERNAME else if (streq(p[0], "x509-username-field") && p[1]) { - /* This option used to automatically upcase the fieldnames passed as the - * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is - * fine-tuned by only upcasing Subject field attribute names which consist - * of all lower-case characters. Mixed-case attributes such as - * "emailAddress" are left as-is. An option parameter having the "ext:" - * prefix for matching X.509v3 extended fields will also remain unchanged. - */ VERIFY_PERMISSION(OPT_P_GENERAL); for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { char *s = p[j]; - if (strncmp("ext:", s, 4) != 0) - { - size_t i = 0; - while (s[i] && !isupper(s[i])) - { - i++; - } - if (strlen(s) == i) - { - while ((*s = toupper(*s)) != '\0') - { - s++; - } - msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " - "--x509-username-field parameter to '%s'; please update your " - "configuration", p[j]); - } - } - else if (!x509_username_field_ext_supported(s+4)) + if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4)) { msg(msglevel, "Unsupported x509-username-field extension: %s", s); }
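Review bot: in the Changes.rst hunk, "This is deprecated since OpenVPN 2.4, and has now been removed" uses the present tense for a feature the same sentence says is gone; "This had been deprecated since OpenVPN 2.4 and is now removed" reads consistently. The entry also tells users what changed but not what to do: the removed warning rewrote e.g. `ou` to `OU` and asked them to update their configuration, so a clause such as "write Subject attribute names as OpenSSL spells them, e.g. OU rather than ou" would turn the note into a migration hint. The hunk introduces a new "User-visible Changes" heading directly above "Overview of changes in 2.6"; please check that the 2.7 block does not already carry a heading of that name, in which case the entry belongs under the existing one.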
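Review bot: the "Please note" paragraph removed from doc/man-sections/tls-options.rst was the only text that described how case in ``fieldname`` is treated, and nothing replaces it. Since the argument is now passed through unchanged, a single sentence after the list of supported extensions saying that ``fieldname`` is looked up exactly as written (so :code:`OU` matches and :code:`ou` does not) would help the users who kept the lowercase spelling the old code rewrote for them; as the commit message notes for `NAME`, a name OpenSSL does not recognise ends in an error, and those users will now hit it instead of the rewrite.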
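Review bot: in the options.c hunk the loop now validates only the `ext:` parameters; a plain Subject attribute name gets no check at parse time, so a misspelling, or the lowercase `ou` the removed code used to rewrite, is only noticed once a client certificate is examined. Because the OpenSSL backend resolves the name with OBJ_txt2obj() anyway (see 2/2), consider calling it here for the non-`ext:` case and failing with the same "Unsupported x509-username-field ..." style message, so a bad configuration is rejected at load time rather than at connect time. Also check whether isupper()/toupper() have other users left in options.c; if not, the <ctype.h> include that served them can be dropped in the same patch.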
From patchwork Sat Feb 15 19:01:44 2025
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4148
Date: Sat, 15 Feb 2025 20:01:44 +0100
To: openvpn-devel@lists.sourceforge.net
In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
Subject: [Openvpn-devel] [PATCH 2/2] Document x509-username-fields oid usage
From: corubba

When built against OpenSSL, the parameters of the x509-username-fields option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0] which accepts "long names and short names [...] as well as numerical forms." Because of this, you can for example use `x509-username-field 2.5.4.41` to make OpenVPN read the `name` field [1]. x509-username-fields is currently not implemented for mbed TLS, so that can be ignored.

[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41
Signed-off-by: Corubba Smith Acked-by: Gert Doering --- doc/man-sections/tls-options.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.48.1 diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 7882e924..0638d095 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -744,11 +744,13 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. :: x509-username-field emailAddress + x509-username-field 1.2.840.113549.1.9.1 x509-username-field ext:subjectAltName x509-username-field CN serialNumber - The first example uses the value of the :code:`emailAddress` attribute - in the certificate's Subject field as the username. The second example + The first two examples use the value of the :code:`emailAddress` attribute + in the certificate's Subject field as the username, where the first example + uses the name while the second example uses the oid. The third example uses the :code:`ext:` prefix to signify that the X.509 extension ``fieldname`` :code:`subjectAltName` be searched for an rfc822Name (email) field to be used as the username. In cases where there are
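Review bot: in the tls-options.rst hunk, "uses the oid" should read "uses the OID" to match the "X.509" capitalisation of the surrounding text, and the sentence would be more useful if it said why the numeric form works, i.e. that the OpenSSL backend resolves ``fieldname`` with OBJ_txt2obj(), which accepts long names, short names and dotted OIDs (as the commit message explains), and that this is the OpenSSL build only. The new example line itself is right: 1.2.840.113549.1.9.1 is the pkcs-9 emailAddress attribute, so it selects the same field as the first example.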
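The two commit messages above state what OpenSSL does with the option argument (short and long names and numeric OIDs are accepted, lookup is case-sensitive, and nothing is uppercased any more) but do not show it. The following is an added example, not OpenVPN or OpenSSL project code. It drives the libcrypto call the 2/2 message names, OBJ_txt2obj(), and then X509_NAME_get_index_by_OBJ() to find the resolved attribute in a subject, through Python's ctypes against the installed libcrypto, so no build tree is needed. It goes slightly beyond the messages by also showing `OU` versus `ou`, the case that the removed uppercasing used to paper over. Assumptions: a shared libcrypto from OpenSSL 1.1.x or 3.x is installed; the subject attributes are constructed for the example; the helper names resolve_field(), build_subject() and username_from_subject() are made up here; the NID constants are OpenSSL's public values from obj_mac.h.

```python
"""Which --x509-username-field spellings does OpenSSL actually resolve?

Added example, not OpenVPN code.  It calls the same libcrypto functions that
OpenVPN's extract_x509_field_ssl() relies on, OBJ_txt2obj() to resolve the
option argument and X509_NAME_get_index_by_OBJ() to find it in the subject,
through ctypes.  Assumes a shared libcrypto (OpenSSL 1.1.x or 3.x) is present.
"""
import ctypes
import ctypes.util

MBSTRING_ASC = 0x1001          # openssl/asn1.h: input string is ASCII
NID_pkcs9_emailAddress = 48    # openssl/obj_mac.h, public constants
NID_name = 173


def _load_libcrypto():
    """Open libcrypto by its usual sonames; ldconfig is not required."""
    candidates = ["libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so"]
    found = ctypes.util.find_library("crypto")
    if found:
        candidates.insert(0, found)
    for soname in candidates:
        try:
            return ctypes.CDLL(soname)
        except OSError:
            continue
    raise OSError("no shared libcrypto found")


C = _load_libcrypto()
P = ctypes.c_void_p
C.OBJ_txt2obj.restype, C.OBJ_txt2obj.argtypes = P, [ctypes.c_char_p, ctypes.c_int]
C.OBJ_obj2nid.restype, C.OBJ_obj2nid.argtypes = ctypes.c_int, [P]
C.OBJ_obj2txt.restype = ctypes.c_int
C.OBJ_obj2txt.argtypes = [ctypes.POINTER(ctypes.c_char), ctypes.c_int, P, ctypes.c_int]
C.ASN1_OBJECT_free.restype, C.ASN1_OBJECT_free.argtypes = None, [P]
C.X509_NAME_new.restype = P
C.X509_NAME_free.restype, C.X509_NAME_free.argtypes = None, [P]
C.X509_NAME_add_entry_by_txt.restype = ctypes.c_int
C.X509_NAME_add_entry_by_txt.argtypes = [P, ctypes.c_char_p, ctypes.c_int, ctypes.c_char_p,
                                         ctypes.c_int, ctypes.c_int, ctypes.c_int]
C.X509_NAME_get_index_by_OBJ.restype, C.X509_NAME_get_index_by_OBJ.argtypes = ctypes.c_int, [P, P, ctypes.c_int]
C.X509_NAME_get_entry.restype, C.X509_NAME_get_entry.argtypes = P, [P, ctypes.c_int]
C.X509_NAME_ENTRY_get_data.restype, C.X509_NAME_ENTRY_get_data.argtypes = P, [P]
C.ASN1_STRING_get0_data.restype, C.ASN1_STRING_get0_data.argtypes = P, [P]
C.ASN1_STRING_length.restype, C.ASN1_STRING_length.argtypes = ctypes.c_int, [P]


def resolve_field(fieldname):
    """Return (nid, dotted OID) for a field name, or None if OBJ_txt2obj() rejects it.

    OBJ_txt2obj(s, 0) accepts short names ("OU"), long names ("emailAddress")
    and numeric forms ("2.5.4.41").  Name matching is case-sensitive, so "ou"
    and "NAME" resolve to nothing; there is no uppercasing on this path.
    """
    obj = C.OBJ_txt2obj(fieldname.encode("ascii"), 0)
    if not obj:
        return None
    try:
        buf = ctypes.create_string_buffer(128)
        C.OBJ_obj2txt(buf, len(buf), obj, 1)   # no_name=1: always the numeric form
        return C.OBJ_obj2nid(obj), buf.value.decode("ascii")
    finally:
        C.ASN1_OBJECT_free(obj)               # no-op for built-in table objects


def build_subject(attrs):
    """Build an X509_NAME from (field, value) pairs; the caller frees it."""
    name = C.X509_NAME_new()
    for field, value in attrs:
        if C.X509_NAME_add_entry_by_txt(name, field.encode(), MBSTRING_ASC,
                                        value.encode(), -1, -1, 0) != 1:
            C.X509_NAME_free(name)
            raise ValueError("cannot add subject attribute %r" % field)
    return name


def username_from_subject(attrs, fieldname):
    """Value OpenVPN would take as the username from this subject, or None.

    Same two steps as extract_x509_field_ssl(): resolve the argument with
    OBJ_txt2obj(), then search the subject for that object.  OpenVPN's loop
    walks to the last match; this stops at the first, which is the same thing
    for a subject carrying each attribute once.
    """
    obj = C.OBJ_txt2obj(fieldname.encode("ascii"), 0)
    if not obj:
        return None
    name = build_subject(attrs)
    try:
        idx = C.X509_NAME_get_index_by_OBJ(name, obj, -1)
        if idx < 0:
            return None
        data = C.X509_NAME_ENTRY_get_data(C.X509_NAME_get_entry(name, idx))
        return ctypes.string_at(C.ASN1_STRING_get0_data(data),
                                C.ASN1_STRING_length(data)).decode("utf-8")
    finally:
        C.X509_NAME_free(name)
        C.ASN1_OBJECT_free(obj)


# Constructed subject for the example, roughly what a client certificate carries.
SUBJECT = [("CN", "alice"), ("OU", "vpn-users"),
           ("emailAddress", "alice@example.org"), ("name", "Alice Example")]

if __name__ == "__main__":
    for spelling in ["emailAddress", "1.2.840.113549.1.9.1", "name", "2.5.4.41",
                     "OU", "ou", "NAME"]:
        print("%-22s -> %r  username=%r" % (spelling, resolve_field(spelling),
                                            username_from_subject(SUBJECT, spelling)))
```

Run stand-alone it prints one line per spelling: `emailAddress` and its OID both land on NID 48 and pick `alice@example.org`, `name` and `2.5.4.41` both land on NID 173 and pick `Alice Example`, `OU` picks `vpn-users`, and `ou` and `NAME` resolve to nothing, which is the behaviour the 1/2 change leaves users with if they still rely on the old rewrite.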